Tuesday, January 23, 2007

Outpost 4.0 Vulnerability Update

David Matousek released on 15 January 2007 details of an exploit that disables self-protection in Outpost Firewall Pro. Virus Bulletin published coverage of the exploit on 17 January 2007. See this link and this link for additional information.

Agnitum is aware of this issue and working on a fix for users that will be available before the end of this month.

However, there is more to this story.

Matousec.com, the site that announced the vulnerability, was founded by David MatouĊĦek in March 2006 and comprises a "small group of young people, mostly university students, who are interested in the Internet, security and other computer related topics". Unfortunately, while the group clearly has some understanding of technical security issues, they appear not to have grasped the commonly-accepted ethical principles of the information security business.

After testing Outpost Firewall Pro 4.0, Mr Matousek contacted Agnitum and suggested that we pay for a report on the issues (http://www.matousec.com/purchase.php) he discovered in Outpost Firewall. In our opinion, this is tantamount to blackmail, and so we declined to pay.

It is a generally accepted principle in the security community that, when a software vulnerability is discovered, the discoverer contacts the vendor and freely provides them with sufficient information to enable them to identify and repair that vulnerability. We were therefore taken by surprise when Mr Matousek took it upon himself to publish details of the Outpost vulnerability without giving us the wherewithal to address the issue directly and protect our customers.

This would seem to be in direct contravention of the group’s claim that their goal is to improve end-user security

Moreover it is a breach of common industry practices such as those cited at:

So, unlike other researchers, Matousek appears to be trying to gain some kind of promotion for themselves by posting the bugs without informing vendors beforehand

Second, Matousec tested Outpost only after he first modified the sandbox.sys module in Outpost (BTP00003P004AO.zip). This is a violation of the End-User-License-Agreement (EULA) and International Copyright Treaties.

As for the vulnerability itself, yes, it may become a risk if the user is logged in with administrative privileges and launches an unknown application that is actually a malicious script. But in this case, the user would be vulnerable no matter what security programs that user is running as intruders can use this type of code to perform almost any kind of malicious activity on a victim’s computer.

In any case, I would just like to re-emphasize that we take the security of our end users extremely seriously, and a bug-fix release dealing with this issue will be issued within the next two weeks.

Mikhail Zakhryapin
President & CEO, Agnitum Ltd.


Anonymous said...

Most unsporting to work against a 'free version' vendor like this.
Maybe they missed the 'public spirit' part of their college course? (If any-just!)
What is the situation now ,at end-March '07 ? 5k

Agnitum BLOG said...

Since then Agnitum has fixed all bugs and vulnerabilities that were discovered by ourselves or reported to us.

Pavel Goryakin
Agnitum Ltd.

Rosie said...

These comments have been invaluable to me as is this whole site. I thank you for your comment.

Anonymous said...

Get used to it:

Students need money just like 'official' security researchers.

Beware, the next exploit maybe sold indirectly e.g. via WabiSabiLabi, and crackers may buy it if you don't.

BTW I am an unhappy customer and think you need to properly fix your existing products (obsolete logging db) instead of nagging customer to pay extra for the Security Suite.

Anonymous said...

>you need to properly fix your existing products (obsolete logging db)

+1. We won't buy legal Outpost till logging issues are solved

Agnitum BLOG said...

By the way, in Outpost Security Suite 2008, public beta (to be launched soon), log files will be available in an open format, so they can be viewed with third-party software.